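---
# GitLab CI pipeline: scan the repository, build an OCI image *tarball*,
# scan that tarball, then push the same already-scanned bytes with skopeo.
# NOTE(review): every job image here (ubuntu, docker, aquasec/trivy, skopeo)
# floats on an unpinned/:latest tag; pin to a version or digest if
# reproducible pipelines are a requirement.
image: ubuntu:latest

stages:
  - Scan Early
  - Build
  - Scan
  - Release

variables:
  REGISTRY: registry.gitlab.com/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
  IMAGE_TARBALL: container-$CI_COMMIT_SHORT_SHA.tar
  IMAGE_TAG: $REGISTRY:$CI_COMMIT_SHORT_SHA
  IMAGE_TAG_RELEASE: $REGISTRY:$CI_COMMIT_TAG
  IMAGE_TAG_BLEEDING: $REGISTRY:bleeding
  IMAGE_TAG_LATEST: $REGISTRY:latest
  # Point Trivy's DB cache at the directory the `cache:` stanza persists.
  # Without this Trivy uses its own default cache dir and the job cache
  # below never hits, so every job re-downloads the vulnerability DB.
  TRIVY_CACHE_DIR: $CI_PROJECT_DIR/.trivy

default:
  # Booleans as true/false (was `yes`, a YAML 1.1 truthy spelling).
  interruptible: true
  retry: 2
  # Top-level `before_script:` is deprecated in GitLab; it lives here now.
  before_script: []
  cache:
    - key: trivy-db
      paths:
        - .trivy

# Lightweight scanning where we check for repo misconfigs
Trivy Secrets:
  image:
    name: aquasec/trivy
    entrypoint: [""]
  stage: Scan Early
  retry: 0
  script:
    # NOTE(review): `trivy fs` defaults to the vuln and secret scanners and no
    # --severity filter is set, so any lockfile vulnerability also fails this
    # job, not just leaked secrets. Add `--scanners secret` if that is the
    # intended scope.
    - trivy fs --exit-code 1 ./

Trivy Misconfiguration:
  image:
    name: aquasec/trivy
    entrypoint: [""]
  stage: Scan Early
  retry: 0
  script:
    - trivy config --severity HIGH,CRITICAL --exit-code 1 ./

# Building
Build Container:
  image: docker:latest
  cache: []
  before_script: []
  stage: Build
  # The dind daemon is needed only by this job. Scoping it here (instead of
  # `default:`) keeps the privileged service out of the scan and release jobs.
  services:
    - name: docker:dind
      alias: docker
      command: ["--tls=false"]
  variables:
    # Plain-TCP daemon socket on the job's private service network.
    # NOTE(review): GitLab's reference dind config uses TLS
    # (DOCKER_TLS_CERTDIR=/certs, tcp://docker:2376); switch to that if the
    # runner shares /certs/client with the job container.
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  script:
    # Basic Docker setup
    - docker --version
    # Log in via stdin only. The previous extra `docker login -p $CI_JOB_TOKEN`
    # put the job token on the command line (visible in the process list and
    # docker's own warning) and targeted a path, not a registry host.
    - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
    # Set up build environment
    - docker buildx create --use
    - docker buildx inspect --bootstrap
    # Build to an OCI archive rather than loading into the daemon, so the
    # exact bytes scanned in the Scan stage are the bytes pushed in Release.
    - docker buildx build --platform linux/amd64 --tag=$IMAGE_TAG --output type=oci,dest=$IMAGE_TARBALL .
    # Last-minute debug info (the OCI output is not loaded into the daemon,
    # so this lists only builder/base images)
    - docker images
  artifacts:
    paths:
      - $IMAGE_TARBALL
    # Release jobs depend on this artifact; a re-run more than an hour later
    # needs a fresh Build job.
    expire_in: 1h

# Meaty scanning for package vulns
Scan Container:
  image:
    name: aquasec/trivy
    entrypoint: [""]
  stage: Scan
  # NOTE(review): this makes the scan an advisory gate only. With
  # allow_failure the Release stage still runs when Trivy exits 1, so a
  # HIGH/CRITICAL finding is a warning, not a block. Remove allow_failure to
  # make it a hard gate.
  allow_failure: true
  retry: 0
  before_script:
    - mkdir container
    - tar xf $IMAGE_TARBALL -C container
  script:
    # --ignore-unfixed hides findings that have no upstream fix yet; they are
    # still present in the image.
    - >-
      trivy image --input container --platform linux/amd64
      --scanners vuln,secret,misconfig --severity HIGH,CRITICAL
      --ignore-unfixed --exit-code 1

# OCI image tagging
Tag SHA:
  image:
    name: quay.io/containers/skopeo:latest
    entrypoint: [""]
  # Never cancel a half-finished push (was `no`, a YAML 1.1 truthy spelling).
  interruptible: false
  cache: []
  before_script: []
  stage: Release
  script:
    - echo "$CI_REGISTRY_PASSWORD" | skopeo login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
    - skopeo inspect oci-archive:$IMAGE_TARBALL
    - skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG
    # `bleeding` is a mutable tag; consumers wanting immutability should pin
    # the SHA tag above or the digest printed by `skopeo inspect`.
    - skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG_BLEEDING
  rules:
    # Runs for default-branch pushes and for tag pipelines, so a tag push also
    # moves `bleeding`.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG

Tag Release:
  image:
    name: quay.io/containers/skopeo:latest
    entrypoint: [""]
  interruptible: false
  cache: []
  before_script: []
  stage: Release
  script:
    - echo "$CI_REGISTRY_PASSWORD" | skopeo login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
    - skopeo inspect oci-archive:$IMAGE_TARBALL
    - skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG_RELEASE
    # `latest` is mutable; see the note on `bleeding` above.
    - skopeo copy --all oci-archive:$IMAGE_TARBALL docker://$IMAGE_TAG_LATEST
  rules:
    - if: $CI_COMMIT_TAG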